Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@FinishKit MCP Serverscan my-org/web-app for security vulnerabilities and blockers"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@finishkit/mcp
MCP server for FinishKit. Enables AI agents in Cursor, Claude Desktop, Windsurf, and VS Code Copilot to scan GitHub repositories for security vulnerabilities, deployment blockers, and code quality issues.
What AI Agents Can Do
Tool | Description | Primary Use Case |
| Trigger a full scan and wait for completion | Check if a repo is production-ready |
| Check progress of an in-flight scan | Poll a previously triggered scan |
| Retrieve detailed findings filtered by category or severity | Review security issues, blockers, etc. |
| Retrieve auto-generated code patches with unified diffs | Apply FinishKit's suggested fixes |
| List all connected repositories and last scan dates | Discover which repos are configured |
| Get guided instructions to link a new GitHub repo | Onboard a new repository |
Quick Start
Get an API key at finishkit.app/dashboard/settings?tab=developer, then configure your MCP client.
Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"finishkit": {
"command": "npx",
"args": ["-y", "@finishkit/mcp"],
"env": {
"FINISHKIT_API_KEY": "fk_live_..."
}
}
}
}Cursor
Add to .cursor/mcp.json in your project root (or ~/.cursor/mcp.json globally):
{
"finishkit": {
"command": "npx",
"args": ["-y", "@finishkit/mcp"],
"env": {
"FINISHKIT_API_KEY": "fk_live_..."
}
}
}Windsurf
Edit ~/.codeium/windsurf/mcp_config.json:
{
"finishkit": {
"command": "npx",
"args": ["-y", "@finishkit/mcp"],
"env": {
"FINISHKIT_API_KEY": "fk_live_..."
}
}
}VS Code Copilot Chat
Add to .vscode/mcp.json in your workspace (or user settings):
{
"servers": {
"finishkit": {
"command": "npx",
"args": ["-y", "@finishkit/mcp"],
"env": {
"FINISHKIT_API_KEY": "${env:FINISHKIT_API_KEY}"
}
}
}
}After configuring, restart your AI client and try: "Scan myorg/my-app for security issues"
Tools Reference
scan_repo (Primary Tool)
Scan a GitHub repository with FinishKit to detect security vulnerabilities, deployment blockers, stability issues, test coverage gaps, and UI problems. This is the primary tool - it handles the full scan lifecycle: finds the project, triggers a new scan run, polls until completion (typically 2-8 minutes), and returns a comprehensive summary of all findings.
Parameter | Type | Required | Description |
| string | Yes | GitHub org or username (e.g., |
| string | Yes | Repository name without owner (e.g., |
| enum | No |
|
| string | No | Specific commit to scan; defaults to latest |
Returns: Finding counts by severity and category, human-readable summary, dashboard URL.
get_scan_status
Check the current status of an in-progress FinishKit scan. Returns the scan phase, progress percentage, and estimated time remaining. Use this to check a scan triggered in a previous session.
Parameter | Type | Required | Description |
| string | Yes | Run ID from |
get_findings
Retrieve detailed findings from a completed scan. Each finding includes file path, line numbers, severity, category, detailed explanation, and suggested fix.
Parameter | Type | Required | Description |
| string | Yes | Run ID of a completed scan |
| enum | No |
|
| enum | No | Minimum severity: |
| number | No | Max findings to return (1-100, default 50) |
get_patches
Retrieve automatically generated code patches from a completed scan. Each patch includes the unified diff, application status, and verification status.
Parameter | Type | Required | Description |
| string | Yes | Run ID of a completed scan |
list_projects
List all FinishKit projects connected to your account, with their last scan date and repository details. No inputs required.
create_project
Get guided instructions for creating a new FinishKit project by linking a GitHub repository. Directs to the dashboard for GitHub App installation.
Parameter | Type | Required | Description |
| string | Yes | GitHub org or username |
| string | Yes | Repository name |
Resources Reference
URI | Description |
| All projects as a JSON array |
| Single project details by ID |
| All findings for a scan run |
| Full event log for a scan run |
For AI Agents
If you are an AI agent with access to FinishKit MCP tools:
Primary workflow: Scan a repository
Call
scan_repowith the repository owner and nameThe tool handles the full lifecycle (trigger, poll, wait for completion)
Returns finding counts by severity and category
Call
get_findingsfor detailed findings listCall
get_patchesfor generated code fixes
Example: User asks "scan myorg/myapp for security issues"
scan_repo({ repo_owner: "myorg", repo_name: "myapp", run_type: "baseline" })Then:
get_findings({ run_id: "<from scan_repo response>", category: "security" })Handling common errors
"Project not found" - The repository must be connected at https://finishkit.app/dashboard first
"Authentication failed" - The FINISHKIT_API_KEY env var is missing or invalid
"Plan limit reached" - User needs to upgrade at https://finishkit.app/dashboard/settings
Key facts
scan_repotypically takes 2-8 minutes - it blocks until complete, no need to poll separatelyFindings have severity: critical, high, medium, low
Findings have category: blockers, security, deploy, stability, tests, ui
Critical and high findings should be fixed before production deployment
Authentication
Set the FINISHKIT_API_KEY environment variable with your API key:
FINISHKIT_API_KEY=fk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTo get an API key:
Generate a new API key
Copy the key (it starts with
fk_live_)
API keys authenticate via Authorization: Bearer <key> on every request. Keep your key secret - never commit it to source control.
Requirements
Node.js 18+
A FinishKit account (finishkit.app)
At least one repository connected to FinishKit via the GitHub App
Registry Listings
Smithery - Smithery MCP registry
npm: @finishkit/mcp - npm package
License
MIT - Copyright (c) 2026 FinishKit
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.